Replaced SSL certificate, but SharePoint metabase still uses the old one?!

    Question

  • I've got an SSL SharePoint 2007 site running, and I need to change the SSL certificate before the old one expires. I have already got the new certificate and installed it into the certificate store. I have also replaced the old certificate with the new one in the IIS manager.

    Yet when I browse to the site or use SSL Diagnostics to probe the SSL certificate it gives me the old certificate. I even went so far as to delete the old certificate from the local machine certificate store. 

    According to this blog, http://blogs.msdn.com/joelo/archive/2007/01/02/relationship-between-the-iis-metabase-and-sharepoint-configuration-database.aspx, the SharePoint configuration database seems to have a cached copy of the old SSL certificate. The blog seems to give some clarification for how to possibly switch the certificate, but it's a little blurry to me still.

    I'd very much appreciate step-by-step advice on how I can replace the old certificate in the SharePoint configuration database with the new one.

    Synocus
    • Edited by Mike Walsh FIN Tuesday, December 30, 2008 1:31 PM Both references to Urgent removed. The forums are not the place for urgent issues. Instead ring Microsoft Customer Support Services.
    Tuesday, December 30, 2008 1:18 PM

All replies

  • I believe Joel's blog says just the opposite.  I believe his blog says that certificate assignments are in the category of IIS metabase objects that are NOT stored in the SharePoint configuration database.  That is consistent with my experience.  Each time SharePoint creates (or recreates) an IIS Web server, I have to go in and assign (reassign) the cert in IIS.  I suspect IIS is hanging on to the old cert, not SharePoint.  Did you restart IIS after making the certificate replacement?
    Tuesday, December 30, 2008 1:45 PM
  • Thanks for the answer ETweedy.

    Yes, I have restarted IIS, and it has had no effect at all. The curious thing is that if the SharePoint configuration database does not contain a cached copy of the certificate, where is it then? I've manually checked the IIS metabase. The new one is specified there, and it is the only certificate in use, so there cannot be any mixing up. I've also removed the old certificate from the local machine certificate store, so I'm having difficulty figuring out any other way for it to use it unless it has some cached copy somewhere.

    Any other suggestions?
    Tuesday, December 30, 2008 2:12 PM
  • I have now tried the following:

    I stopped and then restarted the Windows SharePoint Services Web Service through the stsadm command (stsadm -o provisionservice -action stop -servicetype SPWebService). I also reset IIS. When I opened the IIS Manager, I noticed that the SSL site had no certificate specified. So, I went ahead and specified the new certificate.

    When I tried connecting to the site from two different machines (out of which one had never connected), in both cases the site gave the old certificate, which by all means should no longer exist on the server.

    Any help would be appreciated. The old certificate is due to get old on the 12th, and I've got no idea how the SharePoint site will work then.
    Tuesday, December 30, 2008 3:48 PM
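
    One way to run the comparison described in the posts above (an added example, not code from the thread or from Microsoft): it reads the certificate actually presented on port 443 and checks its thumbprint against the new certificate and the local machine store. The host name, address and thumbprint are placeholders, and `Get-ServedCertificate` is a hypothetical helper defined here.

```powershell
# Added example. Host name, address and thumbprint are placeholders.
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $ConnectTo,  # name or IP actually dialed
        [Parameter(Mandatory = $true)] [string] $HostName,   # name used in the TLS handshake
        [int] $Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ConnectTo, $Port)
        # Accept any certificate: the goal is to inspect it, not to trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $callback
        try {
            $ssl.AuthenticateAsClient($HostName)
            # Copy into an X509Certificate2 so the object outlives the stream.
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }
}

$siteName = 'sharepoint.example.com'              # placeholder: the site's public name
$expected = 'PLACEHOLDER_NEW_CERT_THUMBPRINT'     # placeholder: thumbprint of the new certificate

# Probe the public name and the server's own address (use the IP the IIS
# site is bound to). Differing results mean the two paths are not answered
# by the same certificate binding.
$targets = @(
    @{ Label = 'public name';     ConnectTo = $siteName },
    @{ Label = 'server directly'; ConnectTo = '127.0.0.1' }
)

foreach ($t in $targets) {
    $cert = Get-ServedCertificate -ConnectTo $t.ConnectTo -HostName $siteName
    [pscustomobject]@{
        Path          = $t.Label
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        IsNewCert     = ($cert.Thumbprint -eq $expected)
        # Only meaningful when this script runs on the web server itself.
        InLocalMyStore = Test-Path ("Cert:\LocalMachine\My\" + $cert.Thumbprint)
    }
}
```

    A row with `IsNewCert` false and `InLocalMyStore` false means the certificate on the wire is not coming from this machine's personal store.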
  • Hi,

    If you don't use a wildcard certificate, please use a wildcard certificate and try again.

    If you still have problems changing the SSL certificate, the following workaround should be helpful.

    1.    Create a new web site in IIS.

    2.    Install the new SSL certificate on it and set it to require SSL.

    3.    Use the "Extend an existing Web application" feature in SharePoint and choose the IIS site created in step 2.

    If your problem still persists, please let me know more information so that I can research further:

    1.    Your SSL certificate type.

    2.    What is your farm topology?

    3.    Do you use more than one SSL site? If yes, are the certificates all the same?

    4.    Please let me know the logs in Event Viewer regarding the issue.

    Let me know the result if possible.

    -lambert.

    Posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, January 2, 2009 5:35 AM
  • I love how you guys just mark your own bad posts as the accepted answer. You asking questions for further information does not constitute any sort of useful answer.
    Thursday, March 14, 2019 7:45 PM